Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Proxy Service’ Category

(2014-04-02) Building An ADFS Lab In W2K12(R2)

Posted by Jorge on 2014-04-02


The guys from AskPFE have written an interesting series of building an ADFS lab on W2K12 and then upgrade that to ADFS on W2K12R2 .

How to Build Your ADFS Lab on Server 2012 Part 1

How to Build Your ADFS Lab on Server 2012, Part2: Web SSO

How to Build Your ADFS Lab on Server 2012 Part 3: ADFS Proxy

How to Build Your ADFS Lab Part4: Upgrading to Server 2012 R2

With regards to migrating ADFS v2.x to ADFS v3.0, also have a look at (2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Claims Based Apps, Migration, Proxy Service, Security Token Service (STS), Web Application Proxy | Leave a Comment »

(2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

Posted by Jorge on 2014-03-12


In this article Microsoft explains how to migrate from ADFS v2.x to ADFS v3.0. In this blog post I have added multiple PowerShell scripts to help you migrate as automated as possible.

!!! DISCLAIMER/REMARKS !!!

  • These scripts are freeware, you are free to distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it
  • These scripts are furnished "AS IS". No warranty is expressed or implied!
  • Always test first in lab environment to see if it meets your needs!
  • Use these scripts at your own risk!
  • I do not warrant these scripts to be fit for any purpose, use or environment
  • I have tried to check everything that needed to be checked, but I do not guarantee these scripts do not have bugs.
  • I do not guarantee these scripts will not damage or destroy your system(s), environment or whatever.
  • I do not accept any liability in any way if you screw up, use the scripts wrong or in any other way where damage is caused to your environment/systems!
  • If you do not accept these terms do not use the scripts and delete it immediately!

!!! DISCLAIMER/REMARKS !!!

All scripts can also be downloaded from here.

+++++++++++++++++++++++++++++++++
++++++++++++++ PREPARE ++++++++++
+++++++++++++++++++++++++++++++++

# +++[P1]+++ Create Migration Folders #SCRIPT NAME --> "C:\TEMP\Create-Folders.ps1" New-Item "C:\ADFS-MIG" -ItemType Directory New-Item "C:\ADFS-MIG\Config" -ItemType Directory New-Item "C:\ADFS-MIG\Export" -ItemType Directory New-Item "C:\ADFS-MIG\Service" -ItemType Directory New-Item "C:\ADFS-MIG\Web" -ItemType Directory

++++++++++++++++++++++++++++++++

++++++++++++ EXPORT ++++++++++++

++++++++++++++++++++++++++++++++

# +++[E1]+++ Output Federation Service Properties (On ADFS STS Only!) #SCRIPT NAME --> "C:\ADFS-MIG\Output-Federation-Service-Properties.ps1" If (Test-Path -Path "C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config") { Add-PSSnapIn Microsoft.ADFS.PowerShell } If (Test-Path -Path "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config") { Import-Module ADFS } # Record ADFS Service Properties Get-Service -Name ADFSSRV | Select * | Out-File C:\ADFS-MIG\Config\ADFSService.txt Get-WmiObject win32_service | ?{$_.name -eq "ADFSSRV"} | Select * | Out-File C:\ADFS-MIG\Config\ADFSService.txt -Append # Record All ADFS Properties Get-ADFSProperties | Out-File C:\ADFS-MIG\Config\ADFSProperties.txt # Record All ADFS Endpoints Get-ADFSEndpoint | Out-File C:\ADFS-MIG\Config\ADFSEndpoint.txt # Record All ADFS Claim Descriptions Get-ADFSClaimDescription | Out-File C:\ADFS-MIG\Config\ADFSClaimDescription.txt # Record All ADFS Certificates Get-ADFSCertificate | Out-File C:\ADFS-MIG\Config\ADFSCertificate.txt # Record All ADFS Claims Provider Trusts Get-ADFSClaimsProviderTrust | Out-File C:\ADFS-MIG\Config\ADFSClaimsProviderTrust.txt # Record All ADFS Relying Party Trusts Get-ADFSRelyingPartyTrust | Out-File C:\ADFS-MIG\Config\ADFSRelyingPartyTrust.txt # Record All ADFS Attribute Stores Get-ADFSAttributeStore | %{ "##########" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append "Store Name. = " + $_.Name | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append "Store Class = " + $_.StoreTypeQualifiedName | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append "Store Config:" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append $_.Configuration.GetEnumerator() | %{ " * " + $_.Name + " = " + $_.Value | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append } "" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append }

# +++[E2]+++ Export ANY CA Issued Certificate In Use By ADFS (On ADFS STS Only!) #SCRIPT NAME --> "C:\ADFS-MIG\Export-CA-Issued-Certificates-To-CER-And-PFX-From-ADFS-STS.ps1" $privateKeyProtectionPWD1 = Read-Host "Please Specify The Password To Protect The Private Keys..." $privateKeyProtectionPWD2 = Read-Host "Please Re-Type The Password To Protect The Private Keys..." If ($privateKeyProtectionPWD1 -ne $privateKeyProtectionPWD2) { Write-Host "Passwords DO NOT Match..." Write-Host "Aborting..." BREAK } Else { $certype = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx $ADFSCertificates = Get-ADFSCertificate $adfsSvcCommCert = $ADFSCertificates | ?{$_.CertificateType -eq "Service-Communications" -And $_.StoreLocation -eq "LocalMachine"} If (($adfsSvcCommCert | Measure-Object).Count -eq 1) { $adfsSvcCommCertThumbprint = $adfsSvcCommCert.Certificate.Thumbprint $adfsSvcCommCertName = "ADFS Service Communication Cert (STS)" $adfsSvcCommCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsSvcCommCertThumbprint} If ($adfsSvcCommCertInLocalStore.HasPrivateKey -eq $true -And $adfsSvcCommCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) { $adfsSvcCommCertBytesCER = $adfsSvcCommCertInLocalStore.export("Cert") [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".cer"), $adfsSvcCommCertBytesCER) $adfsSvcCommCertBytesPFX = $adfsSvcCommCertInLocalStore.export($certype, $privateKeyProtectionPWD1) [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".pfx"), $adfsSvcCommCertBytesPFX) } } $adfsTokenSignCert = $ADFSCertificates | ?{$_.CertificateType -eq "Token-Signing" -And $_.StoreLocation -eq "LocalMachine"} If (($adfsTokenSignCert | Measure-Object).Count -ge 1) { $i = 1 $adfsTokenSignCert | %{ $adfsTokenSignCertThumbprint = $_.Certificate.Thumbprint $adfsTokenSignCertName = "ADFS Token Signing Cert (STS) (" + $i + ")" $adfsTokenSignCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsTokenSignCertThumbprint} If ($adfsTokenSignCertInLocalStore.HasPrivateKey -eq $true -And $adfsTokenSignCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) { $adfsTokenSignCertBytesCER = $adfsTokenSignCertInLocalStore.export("Cert") [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenSignCertName + ".cer"), $adfsTokenSignCertBytesCER) $adfsTokenSignCertBytesPFX = $adfsTokenSignCertInLocalStore.export($certype, $privateKeyProtectionPWD1) [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenSignCertName + ".pfx"), $adfsTokenSignCertBytesPFX) } $i += 1 } } $adfsTokenEncryptCert = $ADFSCertificates | ?{$_.CertificateType -eq "Token-Decrypting" -And $_.StoreLocation -eq "LocalMachine"} If (($adfsTokenEncryptCert | Measure-Object).Count -ge 1) { $j = 1 $adfsTokenEncryptCert | %{ $adfsTokenEncryptCertThumbprint = $_.Certificate.Thumbprint $adfsTokenEncryptCertName = "ADFS Token Encryption Cert (STS) (" + $j + ")" $adfsTokenEncryptCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsTokenEncryptCertThumbprint} If ($adfsTokenEncryptCertInLocalStore.HasPrivateKey -eq $true -And $adfsTokenEncryptCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) { $adfsTokenEncryptCertBytesCER = $adfsTokenEncryptCertInLocalStore.export("Cert") [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenEncryptCertName + ".cer"), $adfsTokenEncryptCertBytesCER) $adfsTokenEncryptCertBytesPFX = $adfsTokenEncryptCertInLocalStore.export($certype, $privateKeyProtectionPWD1) [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenEncryptCertName + ".pfx"), $adfsTokenEncryptCertBytesPFX) } $j += 1 } } }

# +++[E3]+++ Export The ADFS v2.x Configuration To XML Files (On ADFS STS Only!) #Get PoSH Script From W2K12R2 Media (Folder: <CD>\Support\Adfs) Or Folder C:\Windows\Adfs After Installation ADFS Role #Copy Script To Folder "C:\ADFS-MIG" On Source ADFS Server C:\ADFS-MIG\Export-FederationConfiguration.ps1 -Path C:\ADFS-MIG\Export

# +++[E4]+++ Copy The ADFS v2.x Web Configuration Files (On ADFS STS And ADFS Proxy!) #SCRIPT NAME --> "C:\ADFS-MIG\Copy-ADFS-Web-Server-Configuration-Files.ps1" Import-Module WebAdministration $adfsWebPath = (Get-WebApplication "adfs/ls").PhysicalPath Copy-Item $($adfsWebPath + "\*") "C:\ADFS-MIG\Web" -Recurse

# +++[E5]+++ Copy The ADFS v2.x Service Configuration Files (On ADFS STS And ADFS Proxy!) #SCRIPT NAME --> "C:\ADFS-MIG\Copy-ADFS-Web-Service-Configuration-File.ps1" If (Test-Path -Path "C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config") { Copy-Item "C:\Program Files\Active Directory Federation Services 2.0\*") "C:\ADFS-MIG\Service" -Recurse } If (Test-Path -Path "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config") { Copy-Item "C:\Windows\ADFS\*") "C:\ADFS-MIG\Service" -Recurse }

# +++[E6]+++ Export ANY CA Issued Certificate In Use By ADFS (On ADFS Proxy Only!) #SCRIPT NAME --> "C:\ADFS-MIG\Export-CA-Issued-Certificates-To-CER-And-PFX-From-ADFS-PRX.ps1" $privateKeyProtectionPWD1 = Read-Host "Please Specify The Password To Protect The Private Keys..." $privateKeyProtectionPWD2 = Read-Host "Please Re-Type The Password To Protect The Private Keys..." If ($privateKeyProtectionPWD1 -ne $privateKeyProtectionPWD2) { Write-Host "Passwords DO NOT Match..." Write-Host "Aborting..." BREAK } Else { $certype = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx $adfsSvcCommCertThumbprint = (Get-WebBinding "Default Web Site" -protocol https).certificateHash $adfsSvcCommCertName = "ADFS Service Communication Cert (PRX)" $adfsSvcCommCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsSvcCommCertThumbprint} If ($adfsSvcCommCertInLocalStore.HasPrivateKey -eq $true -And $adfsSvcCommCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) { $adfsSvcCommCertBytesCER = $adfsSvcCommCertInLocalStore.export("Cert") [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".cer"), $adfsSvcCommCertBytesCER) $adfsSvcCommCertBytesPFX = $adfsSvcCommCertInLocalStore.export($certype, $privateKeyProtectionPWD1) [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".pfx"), $adfsSvcCommCertBytesPFX) } }

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++ CREATE/JOIN/CONFIGURE ADFS ++++++++++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

# +++[C1]+++ Create ADFS Farm Using WID And ADFS Managed Self-Signed Certificates #SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-WID-Self-Signed-Certs.ps1" $adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..." $adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..." $adfsSvcCreds = Get-Credential Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap $adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate" Add-WindowsFeature ADFS-Federation Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C2]+++ Create ADFS Farm Using WID And CA Issued Certificates #SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-WID-CA-Issued-Certs.ps1" $adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..." $adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..." $adfsSvcCreds = Get-Credential Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap $adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate" Add-WindowsFeature ADFS-Federation Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint -SigningCertificateThumbprint $adfsTokenSignCertThumbprint -DecryptionCertificateThumbprint $adfsTokenEncryptCertThumbprint | FL

# +++[C3]+++ Create ADFS Farm Using SQL And ADFS Managed Self-Signed Certificates #SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-SQL-Self-Signed-Certs.ps1" $adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..." $adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..." $adfsSvcCreds = Get-Credential $sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..." $sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True" Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap $adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate" Add-WindowsFeature ADFS-Federation Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -SQLConnectionString $sqlConnectionString -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C4]+++ Create ADFS Farm Using SQL And CA Issued Certificates #SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-SQL-CA-Issued-Certs.ps1" $adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..." $adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..." $adfsSvcCreds = Get-Credential $sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..." $sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True" Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap $adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate" $adfsTokenSignCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Token Signing Certificate" $adfsTokenEncryptCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Token Encryption Certificate" Add-WindowsFeature ADFS-Federation Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -SQLConnectionString $sqlConnectionString -CertificateThumbprint $adfsSvcCommCertThumbprint -SigningCertificateThumbprint $adfsTokenSignCertThumbprint -DecryptionCertificateThumbprint $adfsTokenEncryptCertThumbprint | FL

# +++[C5]+++ Join ADFS Farm Using WID And ADFS Managed Self-Signed Certificates #SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-WID-Self-Signed-Certs.ps1" $adfsSvcCreds = Get-Credential $adfsPrimaryServer = Read-Host "Please Specify The FQDN Of The Primary Server..." Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap $adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate" Add-WindowsFeature ADFS-Federation Add-AdfsFarmNode -PrimaryComputerName $adfsPrimaryServer -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C6]+++ Join ADFS Farm Using WID And CA Issued Certificates #SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-WID-CA-Issued-Certs.ps1" $adfsSvcCreds = Get-Credential $adfsPrimaryServer = Read-Host "Please Specify The FQDN Of The Primary Server..." Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap $adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate" Add-WindowsFeature ADFS-Federation Add-AdfsFarmNode -PrimaryComputerName $adfsPrimaryServer -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C7]+++ Join ADFS Farm Using SQL And ADFS Managed Self-Signed Certificates #SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-SQL-Self-Signed-Certs.ps1" $adfsSvcCreds = Get-Credential $sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..." $sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True" Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap $adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate" Add-WindowsFeature ADFS-Federation Add-AdfsFarmNode -SQLConnectionString $sqlConnectionString -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C8]+++ Join ADFS Farm Using SQL And CA Issued Certificates #SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-SQL-CA-Issued-Certs.ps1" $adfsSvcCreds = Get-Credential $sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..." $sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True" Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap $adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate" Add-WindowsFeature ADFS-Federation Add-AdfsFarmNode -SQLConnectionString $sqlConnectionString -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C9]+++ Install And Configure Web Application Proxy #SCRIPT NAME --> "C:\ADFS-MIG\Install-And-Configure-Web-Application-Proxy.ps1" Add-WindowsFeature Web-Application-Proxy -IncludeManagementTools $adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..." $adfsAdminCreds = Get-Credential Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap $adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate" Install-WebApplicationProxy -FederationServiceName $adfsSvcFQDN -FederationServiceTrustCredential $adfsAdminCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

# +++[C10]+++ Add/Publish Web Applications Through Web Application Proxy Get-WebApplicationProxyApplication --> http://technet.microsoft.com/en-us/library/dn283413.aspx Get-WebApplicationProxyAvailableADFSRelyingParty --> http://technet.microsoft.com/en-us/library/dn283412.aspx Add-WebApplicationProxyApplication --> http://technet.microsoft.com/en-us/library/dn283409.aspx

++++++++++++++++++++++++++++++++

++++++++++++ IMPORT ++++++++++++

++++++++++++++++++++++++++++++++

# +++[I1]+++ Import ANY CA Issued Certificate In Use By ADFS (On ADFS STS Only!) (Only Works On W2K12R2!!!) #SCRIPT NAME --> "C:\ADFS-MIG\Import-CA-Issued-Certificates-Into-ADFS-STS-Local-Cert-Store.ps1" $privateKeyProtectionPWD = ConvertTo-SecureString -String $(Read-Host "Please Specify The Password Protecting The Private Keys...") -Force –AsPlainText $adfsSvcCommCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Service Communication Cert (STS).pfx' If (($adfsSvcCommCertPFXFile | Measure-Object).Count -ge 1) { Import-PfxCertificate -FilePath $($adfsSvcCommCertPFXFile.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD } $adfsTokenSignCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Token Signing Cert (STS)*.pfx' If (($adfsTokenSignCertPFXFile | Measure-Object).Count -ge 1) { $adfsTokenSignCertPFXFile | %{Import-PfxCertificate -FilePath $($_.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD} } $adfsTokenEncryptCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Token Encryption Cert (STS)*.pfx' If (($adfsTokenEncryptCertPFXFile | Measure-Object).Count -ge 1) { $adfsTokenEncryptCertPFXFile | %{Import-PfxCertificate $($_.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD} }

# +++[I2]+++ Import The ADFS v2.x Configuration From The XML Files Into ADFS v3.0 #Get PoSH Script From W2K12R2 Media (Folder: <CD>\Support\Adfs) Or Folder C:\Windows\Adfs After Installation ADFS Role #Copy Script To Folder "C:\ADFS-MIG" On Source ADFS Server C:\ADFS-MIG\Import-FederationConfiguration.ps1 -Path C:\ADFS-MIG\Export

# +++[I3]+++ Import ANY CA Issued Certificate In Use By ADFS (On ADFS Proxy/WAP Only!) (Only Works On W2K12R2!!!) #SCRIPT NAME --> "C:\ADFS-MIG\Import-CA-Issued-Certificates-Into-ADFS-PRX-Local-Cert-Store.ps1" $privateKeyProtectionPWD = ConvertTo-SecureString -String $(Read-Host "Please Specify The Password Protecting The Private Keys...") -Force –AsPlainText $adfsSvcCommCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Service Communication Cert (PRX).pfx' If (($adfsSvcCommCertPFXFile | Measure-Object).Count -ge 1) { Import-PfxCertificate -FilePath $($adfsSvcCommCertPFXFile.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD }

A while back I also found a blog post with PowerShell script to quickly deploy both ADFS v3.0 and WAP. You can find that blog post here.

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER:

https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

#########

http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Certificates, Farm, Federation Trusts, Migration, Proxy Service, Security Token Service (STS) | 4 Comments »

(2013-07-19) Required Claims/Permissions To Join An ADFS Proxy To The ADFS Federation Service

Posted by Jorge on 2013-07-19


In this blog post I explain how to install and configure the ADFS Proxy server in ADFS v2.0 (this may also apply to later ADFS versions). When joining the ADFS Proxy server to the federation service you need credentials to achieve that. If you are using the default configuration, you can either use the ADFS service account credentials or some AD user account that has local administrator equivalent permissions. With regards to the default configuration I’m focusing on the “AddProxyAuthorizationRules” in the federation service (Figure 1) and the “Acceptance Transform Rules” in the Active Directory Claims Provider trust (Figure 2).

SNAGHTML1266c42d

Figure 1: The Default ‘AddProxyAuthorizationRules’ In The Federation Service

The ‘AddProxyAuthorizationRules’ in the federation service determine which claims are required to be authorized to join an ADFS Proxy server to the federation. You could even consider the ‘AddProxyAuthorizationRules’ to be the Issuance Authorization Rules of a special internal relying party trust.

image79

Figure 2: Default List Of Acceptance Transform Rules For The Default Claims Provider Trust (AD) In ADFS v2.0

The ‘Acceptance Transform Rules’ are the rules that determine the claims in the security token for the federation service itself after processing the claims in the incoming/received security token from a downstream STS.

In this blog post I explain the bare minimum required claims rules in the Active Directory Claims Provider trust to be able to use ADFS at all as a security token service (STS).

Now based upon those minimum required claims rules in the Active Directory Claims Provider trust lets try to join an ADFS Proxy server to the federation service!

If you want to join the ADFS Proxy server to the federation service through the command line you can use the following steps:

  • Open a Command Prompt window
  • Navigate to “C:\Program Files\Active Directory Federation Services 2.0”
  • Type And Execute: START /WAIT FSPCONFIGWIZARD.EXE /HostName <Federation Service FQDN> /UserName <Federation Service Service Account> /Password <Federation Service Service Account Password>

After starting the federation service proxy wizard, you will see the following screen.

image

Figure 3: The “Welcome” Screen Of The Federation Service Proxy Wizard

After clicking “Next >” you will see the following screen.

image

Figure 4: The “Specify Federation Service Name” Screen Of The Federation Service Proxy Wizard

After specifying the FQDN of the federation service and clicking “Test Connection” you will most likely see the same message stating that connection was successful. Click “OK”. After clicking “Next >” you will see the following screen.

image

Figure 5: The “Enter  Credentials” Screen Of The Federation Service Proxy Wizard

After specifying credentials that have local administrator equivalent permissions on the STS servers and clicking “OK” you may see the following screen.

image

Figure 6: The Error That Mentions You Do Not Have The Correct Credentials To Perform The Join Operation

Hey, wazzup!?

Let’s try to analyze this!

If you start the Event Viewer MMC on the ADFS Proxy server and navigate to the Event Log ADFS 2.0 Admin Event Log (Event Viewer –> Applications And Services Log –> AD FS 2.0 –> Admin) you will see something similar to…

image

Figure 7: An “Access Denied” Error On The ADFS Proxy server

If you start the Event Viewer MMC on the ADFS STS server and navigate to the Event Log Security Event Log (Event Viewer –> Windows Logs) you will see something similar if you have auditing configured (see this blog post) (it may look different if you have more claims rules being processed in the Acceptance Transform Rules of the Active Directory Claims Provider trust!)…

image

Figure 8: An “Access Denied” Error On The ADFS STS server

image

Figure 9: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

More Details:

More information for the event entry with instance id a2e78f87-a14a-4d28-8086-fd4e12aceeae. There may be more events with the same instance id with more information.

Instance id:
a2e78f87-a14a-4d28-8086-fd4e12aceeae
 
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
S-1-5-21-1302963225-1802291915-4189581584-500
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2013-07-18T23:00:39.506Z
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password

So, the conclusion here is that we are missing claims to be authorized to join the ADFS Proxy Server to the federation service.

If you look at figure 1 you will see three claims rules exist for the “AddProxyAuthorizationRules”, being:

  1. Permit join if the security token contains a groupsid claim with value “S-1-5-32-544” (which equals to the local administrators group)
  2. Permit join if the security token contains the primarysid of the ADFS service account (assuming it equals to “isProxyTrustManagerSid”)
  3. Permit join if….(can understand this one unfortunately)

Hey that’s strange! The AD user account I’m using is a local administrator on the ADFS STS server and still I cannot join the ADFS Proxy server. I did not change the default “AddProxyAuthorizationRules”, but I did change the default Acceptance Transform Rules Of The Active Directory Claims Provider Trust to have the bare minimal claims rules.

So based upon this analysis it looks that my required groupsid claim is not included in the security token as shown in figure 9.

Therefore, to be able to use an AD user account with local administrator equivalent permissions on the ADFS STS servers you MUST have the following claims rule in place in addition to the bare minimum claims rules.

image

Figure 10: The Claims Rule In The Active Directory Claims Provider Trust Acceptance Transform Rules That Passes-Through The Group SIDs

More Details:

@RuleTemplate = "PassThroughClaims"

@RuleName = "Pass through all Group SID claims"

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid&quot;, Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]

=> issue(claim = c);

So after adding this claims rule to the Active Directory Claims Provider Trust Acceptance Transform Rules I retried the join of the ADFS Proxy server to the federation service and now it succeeded!

image

Figure 11: The “Ready To Apply Settings” Screen Confirming The Credentials Were Validated And Correct

image

Figure 12: The Event In The ADFS 2.0/Admin Event Log Acknowledging The Establishment Of The Federation Trust

image

Figure 13: An Event In The Security Event Log Of The ADFS STS Server Stating A Security Token Was Successfully Issued

image

Figure 14: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Instance id: 
0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4
 

Issued identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid
3949416d-2770-46e6-8109-c70d929c2abf
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2013-07-18T23:45:12.790Z
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password

image

Figure 15: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Instance id:
0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4
 
Caller identity:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
ADCORP\ADM.ROOT
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
S-1-5-21-1302963225-1802291915-4189581584-500
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid
S-1-5-21-1302963225-1802291915-4189581584-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-1-0
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-32-544
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-32-545
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-32-554
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-32-574
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid

S-1-5-2

image

Figure 16: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Instance id:
0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4
 
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-11
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-15
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1908
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1911
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1913
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-520
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1916
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1915
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1706
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1909

image

Figure 17: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Instance id:
0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4
 
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1910
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-512
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1912
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1914
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1231
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1243
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1233
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1340
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1346
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1240

image

Figure 18: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Instance id:
0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4
 
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1241
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1677
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1343
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1338
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1345
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1242
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1232
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1230
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1344
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1235

image

Figure 19: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Instance id:
0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4
 
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1341
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1348
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1347
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1350
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1342
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1237
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-518
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1938
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1239
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1339

image

Figure 20: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Instance id:
0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4
 
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1234
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-519
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1236
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1349
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1238
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-572
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1886
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1302963225-1802291915-4189581584-1889
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path
/adfs/services/trust/proxytrustprovisionusername
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
ADCORP\ADM.ROOT

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Proxy Service | Leave a Comment »

(2013-07-06) Uninstalling An ADFS v2.0 PRX Server

Posted by Jorge on 2013-07-06


In the past I described how to install an ADFS Proxy (PRX) Server in this post. This post will focus on UNINSTALLING an ADFS PRX Server.

First you need to uninstall ADFS v2.0

  • Open a Command Prompt Window
  • Open APPWIZ.CPL
  • Click View Installed Updates and type ACTIVE into the Search Programs and Features search bar.
  • Select Active Directory Federation Services 2.0 and click Uninstall.

Secondly, uninstall IIS as described in the section “Restore IIS on a federation server or federation server proxy computer” from How to restore IIS and clean up Active Directory when you uninstall Active Directory Federation Services 2.0

And last but not least, delete the CA issued certificate from the computer’s personal store if you do not intend to re-use it

  • Open a Command Prompt Window
  • Open MMC
  • Add the Snap-in called “Certificates” and focus on the local computer
  • Navigate to the personal store of the computer, select the certificate that contains the name/FQDN of the federation service in the subject or SAN and delete it

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Proxy Service | Leave a Comment »

(2012-05-11) Installing And Configuring ADFS v2 As A PRX Server

Posted by Jorge on 2012-05-11


With this post I want to show you the ADFS v2.0 PRX installation procedure that I used in my test/demo environment. The installation binaries can be downloaded from the internet for W2K8/W2K8R2 from here,  and I also downloaded (at the time of writing) the latest update rollup for ADFS from here. I followed the following installation steps.

After downloading the ADFS installation binaries, double-click it. Then click on “Next >”.

image_thumb4

Figure 1: The Active Directory Federation Services v2.0 Setup Wizard

Check the “I accept the terms in the License Agreement” after reading and accepting the EULA for ADFS v2.0, and then click on “Next >”.

image_thumb7

Figure 2: The Active Directory Federation Services v2.0 Setup Wizard – The EULA

We need to start with the installation of the federation proxy server. In terms of locating and securing the PRX server, you do not need to consider it as an ADFS STS server. The purpose of the ADFS PRX is to locate it on insecure networks or locate it facing insecure networks (e.g. internet). The ADFS PRX is basically a traffic agent without any authority. It just passes security tokens from the ADFS STS to the user and vice versa and allows the automatic exchange of metadata to occur when possible. The ADFS PRX server is not able/allowed to generate any security token with any claim like an ADFS STS server. Therefore, anyone in control of the PRX server is not able to do anything.

The ADFS PRX server does not need to be domain joined, but it could be if you want to leverage centralized administration and policy management through AD.

Because we need an PRX server, select the federation proxy server option.

image

Figure 3: The Active Directory Federation Services v2.0 Setup Wizard – Installing An PRX Server

Click on “Next >”.

image

Figure 4: The Active Directory Federation Services v2.0 Setup Wizard – Prerequisite Software

Now, just be patient.

image

Figure 5: The Active Directory Federation Services v2.0 Setup Wizard – Installation Of Binaries In Progress

Make sure to have the option “Start the AD FS 2.0 Federation Server Proxy Configuration Wizard when this wizard closes” checked and click on “Finish”.

image

Figure 6: The Active Directory Federation Services v2.0 Setup Wizard – Installation Finished

If IIS was not pre-installed and/or if the default website was not already configured with a SSL certificate, the following error will appear. Read it carefully and click on “OK”. It is recommended to FIRST get a certificate and then connect the ADFS PRX server to the ADFS STS server(s).

image

Figure 7: Error When SSL Has Not Been Configured On The Default Website

If the ADFS PRX server is domain joined, you can request an SSL certificate using the next steps. If the ADFS PRX server is operating as non-domain joined. You will need to do an offline certificate request and then manually deploy it to ADFS PRX server(s).

For now I’m assuming it is domain joined as that is easier to describe! Smile

For more information about the certificates in use by ADFS see:

In this case I’m going to use certificate from the CA in my test/demo environment.

Start the Certificates MMC on the ADFS PRX server and target the local computer. To request a certificate navigate to “Certificates (Local Computer)” –> Personal –> Certificates. Right-click the last one and then “All Tasks” –> “Request New Certificate”.

image_thumb23_thumb

Figure 8: Requesting A New Certificate

Click on “Next >”.

image_thumb25_thumb

Figure 9: Certificate Enrollment – Before You Begin

In this select the “Active Directory Enrollment Policy” and click on “Next”.

image_thumb27_thumb

Figure 10: Certificate Enrollment – Certificate Enrollment Policy

For this certificate you can leverage the “Web Server” certificate template. Select the “Web Server” certificate template, click on details to expand for more information and click on “Properties”.

image_thumb30_thumb

Figure 11: Selecting The “Web Server” Certificate Template

For the Service Communication (SSL) Certificate, targeting the “Subject” TAB, provide the service name (e.g. FS.ADCORP.LAB) as the subject name (Type = Common Name) and as the alternate name (Type = DNS). The ADFS PRX server must also be reachable using the ADFS federation service name (e.g. FS.ADCORP.LAB). In addition to that, the ADFS PRX server itself must be able to access the ADFS STS server(s) using the exact same ADFS federation service name (e.g. FS.ADCORP.LAB). How you achieve that really depends on the DNS name resolution setup internally, in the DMZ and on the internet. But, that’s a totally different story I hope to describe another day. Unfortunately, today is not that day.

image

Figure 12a: Service Communication (SSL) Certificate – Subject Name And Alternate Name

For the Service Communication (SSL) Certificate, targeting the “General” TAB, provide the friendly name (e.g. Service Communication Cert For ADFS-PRX) and the description.

image

Figure 12b: Service Communication (SSL) Certificate – Friendly Name And Description

For the Service Communication (SSL) Certificate, targeting the “Private Key” TAB, configure the private key to be exportable. Click “OK” when done.

image

Figure 12c: Service Communication (SSL) Certificate – Configuring Private Key To Be Exportable

Click on “Enroll” to actually enroll the certificate.

image_thumb41_thumb

Figure 13: Enrolling The Certificate

Click on “Finish”

image_thumb43_thumb

Figure 14: Finishing The Certificate Enrollment

Now by using the IIS MMC you need to make sure the default website has an HTTPS (SSL) binding (port 443) and also uses the just enrolled SSL certificate.

image

Figure 15: HTTPS (Port 443) Binding Using The Service Communication Certificate For The ADFS-PRX

Also make sure to enforce SSL as shown in the picture below.

image

Figure 16: Enforcing The Use Of SSL For The Default Website

Now from the Start Menu, start the AD FS 2.0 Federation Server Proxy Configuration Wizard and then click on “Next >”.

image

Figure 17: The Active Directory Federation Server Proxy Configuration Wizard

Type the federation service name (e.g. FS.ADCORP.LAB) that was also used when installing the ADFS STS servers

image

Figure 18: Specifying The Federation Service Name

To make sure you can connect the ADFS PRX server to the ADFS STS server(s), you should first test the connection by clicking on “Test Connection”. If the connection if successful you will see the acknowledgement an then click on “OK”. If not, you will receive an error. Click on “Next >”.

image

Figure 19: Testing The Connection From The ADFS PRX Server To The ADFS STS Server (s)

To actually connect the ADFS PRX to the ADFS STS servers, you need to provide credentials. Those credentials can either be the credentials for the ADFS service account used on the ADFS STS servers, or be any account that has local administrative permissions on the ADFS STS server(s). Therefore, enter credentials and click on “OK”.

image

Figure 20: Specifying The Credentials To Connect The ADFS PRX Server To The ADFS STS Server(s)

When successful, the following will appear. Click on “Next >” to configure the local ADFS PRX server.

image

Figure 21: Configuration Summary Of The Local ADFS PRX Server

The ADFS PRX is being configured. Be patient.

image

Figure 22: Actual Configuration Of The Local ADFS PRX Server

When the actual configuration is done, click on “Close”.

image

Figure 23: The Configuration Of The Local ADFS PRX Server Finished

Now it is time to update the ADFS role. After downloading the ADFS rollup package, extract it and double-click the MSU file. Then click “YES”.

image_thumb19

Figure 24: Confirming The Installation Of The ADFS Rollup Package 1

Click on “Restart Now” to restart the server.

image_thumb21

Figure 25: Finalizing The Installation Of The ADFS Rollup Package

To validate the working of your ADFS deployment, you can target the following URLs (of course replace this with your own federation service name!!!):

  1. https://fs.adcorp.lab/adfs/ls/IdPInitiatedSignOn.aspx
  2. https://fs.adcorp.lab/FederationMetadata/2007-06/FederationMetadata.xml

[1] –> https://fs.adcorp.lab/adfs/ls/IdPInitiatedSignOn.aspx

First it will perform Home Realm Discovery (HRD) if you have more than one Claims Provider Trust configured. I this case I do, so that’s why it happened.

image_thumb[1]

Figure 26: Testing ADFS Deployment – Home Realm Discovery

As soon as you click on “continue to sign in” it will ask you to provide credentials. This does assume you are not using Windows Integrated Authentication (in that case the federation service FQDN is NOT added to the Local Intranet Zone in IE). The collection of the credentials is either Windows based of forms based, whatever you have configured. On a ADFS STS it most likely is Windows based as that is the default! If you want to use Windows Integrated Authentication you must add the federation service FQDN to the Local Intranet Zone in IE. On a PRX forms based is the default

image_thumb[3]

Figure 27: Testing ADFS Deployment – Providing Credentials

image_thumb[5]

Figure 28: Testing ADFS Deployment – Successful Logon

[2] –> https://fs.adcorp.lab/FederationMetadata/2007-06/FederationMetadata.xml

As soon as you enter the URL and hit ENTER, you might end up in seeing a BLANK page. To actually see the federation metadata, click IN ADDITION on the “Compatibility View” button in IE. You will then see the following.

image_thumb[9]

Figure 29: Testing ADFS Deployment – Federation Metadata

With regards to ADFS, also see the following resource with lots of information:

ADFS Related Videos:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Proxy Service | 4 Comments »

 
%d bloggers like this: